shim-15.4 for Isoo (2021-08-09) #192

Closed
7 of 9 tasks
haobinnan opened this issue Jul 13, 2021 · 14 comments
Labels
accepted Submission is ready for sysdev

Comments


haobinnan commented Jul 13, 2021

Make sure you have provided the following information:

  • link to your code branch cloned from rhboot/shim-review in the form user/repo@tag
    https://github.com/haobinnan/shim-review/tree/isoo-shim-20210809
  • completed README.md file with the necessary information
  • shim.efi to be signed
  • public portion of your certificate(s) embedded in shim (the file passed to VENDOR_CERT_FILE)
  • binaries for which hashes are added to vendor_db (if you use vendor_db and have hashes allow-listed)
  • any extra patches to shim via your own git tree or as files
  • any extra patches to grub via your own git tree or as files
  • build logs
  • a Dockerfile to reproduce the build of the provided shim EFI binaries
What organization or people are asking to have this signed:
  • Qinhuangdao Yizhishu Software Development Co., Ltd.
  • Isoo is a software developer for data recovery, disk utilities and system backup. https://isoo.com/
  • Managing Director: Hao Binnan
What product or service is this for:
  • This is Isoo’s Linux-based operating system. We are going to develop some function based on the OS, such as resize partition, back up & restore operating system, etc.
Please create your shim binaries starting with the 15.4 shim release tar file:
https://github.com/rhboot/shim/releases/download/15.4/shim-15.4.tar.bz2
This matches https://github.com/rhboot/shim/releases/tag/15.4 and contains
the appropriate gnu-efi source.
Please confirm this as the origin of your shim.
  • This is based on shim 15.4
What's the justification that this really does need to be signed for the whole world to be able to boot it:
  • Isoo wants to employ Secure Boot for building a trusted operating system from Shim to GRUB to the kernel to signed filesystem partitions. Secure Boot is the first step for this.
  • Isoo would like customers to be able to run Isoo’s Linux-based system on any amd64(64Bit) and x86(32Bit) device without disabling Secure Boot.
How do you manage and protect the keys used in your SHIM?
  • They're in an HSM
Do you use EV certificates as embedded certificates in the SHIM?
  • No.
If you use new vendor_db functionality, are any hashes allow-listed, and if yes: for what binaries ?
  • No vendor_db is used.
Is kernel upstream commit 75b0cea7bf307f362057cc778efe89af4c615354 present in your kernel, if your boot chain includes a Linux kernel?
  • Yes.
If SHIM is loading GRUB2 bootloader, are CVEs CVE-2020-14372,
CVE-2020-25632, CVE-2020-25647, CVE-2020-27749, CVE-2020-27779,
CVE-2021-20225, CVE-2021-20233, CVE-2020-10713, CVE-2020-14308,
CVE-2020-14309, CVE-2020-14310, CVE-2020-14311, CVE-2020-15705,
( July 2020 grub2 CVE list + March 2021 grub2 CVE list )
and if you are shipping the shim_lock module CVE-2021-3418
fixed ?
  • Yes.
"Please specifically confirm that you add a vendor specific SBAT entry for SBAT header in each binary that supports SBAT metadata
( grub2, fwupd, fwupdate, shim + all child shim binaries )" to shim review doc ?
Please provide exact SBAT entries for all SBAT binaries you are booting or planning to boot directly through shim
  • SBAT for shim:

sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md
shim,1,UEFI shim,shim,1,https://github.com/rhboot/shim
shim.isoo,1,Isoo,shim,15.4,https://www.isoo.com/

  • SBAT for grub2:

sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md
grub,1,Free Software Foundation,grub,2.04,https://www.gnu.org/software/grub/
grub.ubuntu,1,Ubuntu,grub2,2.04-1ubuntu46,https://www.ubuntu.com/
grub.isoo,1,Isoo,grub2,2.04-isoo,https://www.isoo.com/

Were your old SHIM hashes provided to Microsoft ?
  • Yes.
Did you change your certificate strategy, so that affected by CVE-2020-14372, CVE-2020-25632, CVE-2020-25647, CVE-2020-27749,
CVE-2020-27779, CVE-2021-20225, CVE-2021-20233, CVE-2020-10713,
CVE-2020-14308, CVE-2020-14309, CVE-2020-14310, CVE-2020-14311, CVE-2020-15705 ( July 2020 grub2 CVE list + March 2021 grub2 CVE list )
grub2 bootloaders can not be verified ?
  • Yes.
What exact implementation of Secureboot in grub2 ( if this is your bootloader ) you have ?
* Upstream grub2 shim_lock verifier or * Downstream RHEL/Fedora/Debian/Canonical like implementation ?
  • Downstream RHEL/Fedora/Debian/Canonical like implementation
What is the origin and full version number of your bootloader (GRUB or other)?
If your SHIM launches any other components, please provide further details on what is launched
  • Our shim does not load any other components.
If your GRUB2 launches any other binaries that are not Linux kernel in SecureBoot mode,
please provide further details on what is launched and how it enforces Secureboot lockdown
  • It doesn't
If you are re-using a previously used (CA) certificate, you
will need to add the hashes of the previous GRUB2 binaries
exposed to the CVEs to vendor_dbx in shim in order to prevent
GRUB2 from being able to chainload those older GRUB2 binaries. If
you are changing to a new (CA) certificate, this does not
apply. Please describe your strategy.
  • new CA certificate
How do the launched components prevent execution of unauthenticated code?
  • N/A.
Does your SHIM load any loaders that support loading unsigned kernels (e.g. GRUB)?
  • No, our grub does not allow loading unsigned kernels when secure boot is enabled.
What kernel are you using? Which patches does it include to enforce Secure Boot?
What changes were made since your SHIM was last signed?
  • Bug and security fixes.
  • Changelog (since version 15-4).

shim-15.4-branch-update-.gitmodules-to-point-at-shim.patch
Fix-a-broken-file-header-on-ia32.patch
359.patch
361.patch
362.patch
364.patch
ubuntu-no-addend-vendor-dbx.patch
369.patch
372.patch
378.patch
379.patch
383.patch
387.patch
365.patch
393-1.patch
393-2.patch
396.patch
399-1.patch
399-2.patch

What is the SHA256 hash of your final SHIM binary?
  • shimia32.efi.sha256sum: 644a362c6e9ded075fc715c4b55b7fed06268b3b70fc97344ed97a8792397808
  • shimx64.efi.sha256sum: d641b85221fe448ede1e06984e9ccf46a058b17c0c50fccf32be665338134dfb
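
As an added example (not part of the submission and not shim-review tooling), this Python sketch parses the two SBAT blocks quoted in the submission and checks the point the questionnaire asks about: that each binary carries the `sbat` header entry, its upstream component entry, and a vendor-specific `component.vendor` entry. The function names `parse_sbat` and `review_sbat` and the exact rule set are assumptions made for illustration.

```python
import csv
import io

# SBAT blocks copied from the submission above.
SHIM_SBAT = """\
sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md
shim,1,UEFI shim,shim,1,https://github.com/rhboot/shim
shim.isoo,1,Isoo,shim,15.4,https://www.isoo.com/
"""
GRUB_SBAT = """\
sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md
grub,1,Free Software Foundation,grub,2.04,https://www.gnu.org/software/grub/
grub.ubuntu,1,Ubuntu,grub2,2.04-1ubuntu46,https://www.ubuntu.com/
grub.isoo,1,Isoo,grub2,2.04-isoo,https://www.isoo.com/
"""
FIELDS = ("component", "generation", "vendor", "package", "version", "url")


def parse_sbat(text):
    """Parse SBAT CSV into dicts; raise ValueError on a malformed row."""
    entries = []
    for lineno, row in enumerate(csv.reader(io.StringIO(text)), 1):
        if not row:
            continue  # tolerate blank lines
        if len(row) != len(FIELDS):
            raise ValueError(f"line {lineno}: expected 6 fields, got {len(row)}")
        entry = dict(zip(FIELDS, (field.strip() for field in row)))
        if not entry["generation"].isdigit() or int(entry["generation"]) < 1:
            raise ValueError(f"line {lineno}: generation must be a positive integer")
        entry["generation"] = int(entry["generation"])
        entries.append(entry)
    return entries


def review_sbat(text, upstream, vendor):
    """Return a list of findings; an empty list means the checks passed."""
    try:
        names = [e["component"] for e in parse_sbat(text)]
    except ValueError as exc:
        return [str(exc)]
    findings = []
    # Assumed review rule: header, upstream entry and vendor entry must all exist.
    for required in ("sbat", upstream, f"{upstream}.{vendor}"):
        if required not in names:
            findings.append(f"missing entry: {required}")
    return findings
```

Calling `review_sbat(SHIM_SBAT, "shim", "isoo")` and `review_sbat(GRUB_SBAT, "grub", "isoo")` returns an empty list for both blocks as submitted.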
@haobinnan
Author

My previously accepted SHIM:
#168

@haobinnan
Author

Can the submission be reviewed?
@steve-mcintyre

@haobinnan
Author

update SBAT for grub2

@haobinnan haobinnan changed the title shim-15.4 for Isoo shim-15.4 for Isoo (2021-07-13) Jul 26, 2021
@haobinnan
Author

Can the submission be reviewed?

@julian-klode
Collaborator

julian-klode commented Aug 9, 2021

Builds reproducible for me and changes look sensible. Can't accept though, as it's basically my patches in there which are pending review in #197. Will accept once #197 has been. Marking it as extra review wanted, as it does not necessarily have to be me to accept it after - I might forget

@julian-klode julian-klode added the extra review wanted Initial review(s) look good, another review desired label Aug 9, 2021
@steve-mcintyre
Collaborator

Hi! Back from vacation and back to reviewing now...

I assume that now you've updated your branch to include the tag isoo-shim-20210809 (today!), you are aiming to get that latest version reviewed and signed?

@steve-mcintyre
Collaborator

Either way, both versions reproduce here

@haobinnan
Author

thanks

@steve-mcintyre
Collaborator

If you are asking for the later submission, please also update the date in the review title to be 100% clear!

@haobinnan haobinnan changed the title shim-15.4 for Isoo (2021-07-13) shim-15.4 for Isoo (2021-08-09) Aug 10, 2021
@haobinnan
Author

> If you are asking for the later submission, please also update the date in the review title to be 100% clear!

ok

@haobinnan
Author

May I know if my submission can be accepted today?
@steve-mcintyre

@steve-mcintyre
Collaborator

Looking at the patches you're applying, I think I need to add review comments on them directly. But I don't see anything here that obviously breaks security. So that's OK.

SBAT entries look good.
CA cert looks good.

Marking accepted.

@steve-mcintyre steve-mcintyre added accepted Submission is ready for sysdev and removed extra review wanted Initial review(s) look good, another review desired labels Aug 10, 2021
@haobinnan
Author

thanks
@steve-mcintyre

@haobinnan
Author

complete
